Editorial: Election security requires redundancy

Friday

Aug 2, 2019 at 4:00 AM

A week ago, the Senate Intelligence Committee released a report confirming the extensive effort on the part of Russian operatives to attack election systems across the country during the 2016 election. The bipartisan report found all 50 states were targeted. It describes “an unprecedented level of activity against state election infrastructure,” largely seeking to identify areas of vulnerability. The report bolsters calls for the federal government to provide states with additional resources to enhance security.

Unfortunately, Mitch McConnell, the Senate majority leader, has resisted efforts to make the funding available, though the House already has acted and federal money allocated two years ago has been spent. The report makes plain the need, noting that while some states have been highly focused on developing a strong culture of cybersecurity, others have made little progress.

What about Ohio? The state is among those at the front. In June, Secretary of State Frank LaRose issued a directive to all county boards of elections, building on past steps by setting in motion several new requirements for upgrading security. LaRose stressed the value of redundancy, of layering numerous complementary and reinforcing approaches.

That explains the secretary calling for the installation of Albert intrusion devices on the networks of all 88 boards. This equipment monitors electronic traffic flow and provides security alerts when the network is violated. The Security Information and Event Management Logging system brings a greater level of sophistication. It collects data from network devices, servers and other elements, trapping the information in a “black box,” allowing officials to see the activity of an intruder.

Both tools are provided by the secretary of state’s office through federal dollars. They are complemented by another layer of protection regarding email. Boards of elections already have taken steps to prevent phishing — attackers sending deceptive email to trick a user into allowing their entry. Now the secretary wants boards to use only a .us or .gov domain name — plus tap services that help to identify whether an email is legitimate, the security sequence similar to the additional layer required by banks.

LaRose also has required boards to request a set of services from the Department of Homeland Security, again, to achieve crucial redundancy. The services include assessing the level of vulnerability by trying to hack into a board network and conducting a “cyber threat hunt,” an in-depth review to see whether a network has been compromised. Add to the requirements more training and criminal background checks of employees and vendors or contractors.

Is all of this too much? A pilot program involving Hocking, Miami and Wood counties has shown good results. The concern isn’t so much that hackers would alter vote totals as it is messing with voter registration data. Recall the recent episodes in Baltimore and Atlanta, attackers essentially locking up city government data. Imagine such an event on the eve of a presidential election, the potential for disruption, not to mention a loss of public confidence in election systems or the core of democratic governance.

That has been a leading message of Robert Mueller, the special counsel who investigated the Russian cyberattack. In his congressional testimony last week, he repeated his warning about Russia trying again in a “sweeping and systematic” way, something that “deserves the attention of every American.” Thus, it is good to see the secretary of state’s office lead in building a culture of security. Now the U.S. Senate needs to join the effort.

Akron Beacon Journal

Never miss a story

Choose the plan that's right for you.
Digital access or digital and print delivery.